
CTF Example – Wireless Security

January 16, 2017 By Ken Smith

Each of RSM’s previous Capture the Flag events has included a challenge in which participants were tasked with tracking down a specific wireless access point. There are many examples of the practical applications of being able to accomplish such a task. These include manually verifying potential rogue access points and signal triangulation (which is an entire science in and of itself).

The first step is to make sure we can see the network. The easiest way to accomplish this is to bring up the list of available wireless networks on one’s phone or laptop. The standard options will do for now. There is no need for specific tools just yet.

Figure 1 is just a default read-out from an Android phone. Figure 2 is a standard list from Windows 7.

Figure 1: Android WiFi Read-out
Figure 2: Windows WiFi Read-out


While we could continue to proceed using the standard options, the process will be significantly streamlined if we use a specialty tool.

Wireless Tools

If you have access to an Android phone or tablet, I would recommend WiFiFoFum. This app will scan for wireless networks and display information about each, including: network name, encryption type, and, most importantly, signal strength. By default, the application displays signal strength as the familiar WiFi bars. Your first step after downloading the app should be to go into the configuration menu and, under RSSI (“Received Signal Strength Indicator”), select “Decibels.” While it is possible to track access points (APs) with the bars, it’s not super precise. Don’t worry about the Near or Radar tabs. They will not help you. Instead, return to the WiFi tab. The app displays wireless networks in order of signal strength and frequency of probe requests observed. The closer the RSSI value gets to 0 (less negative), the stronger the signal. As the signal gets stronger, the more likely it is that the distance between the observer and the AP is shrinking.

I’ve done some searching, but there doesn’t appear to be a decent WiFi signal strength finder app for stock iOS. It is possible to install WiFiFoFum through the Cydia Store if you have a jailbroken iPhone. The other option is to use a program like NetStumbler for Windows on a standard laptop. In either case, your process will generally be the same.

Walking the Room

The mistake most people make when trying to locate APs is the bee-line. When tracking down a wireless signal, don’t attempt to go straight towards the source. There are too many variables for a single-point reader (i.e., your phone or tablet) for this to be a consistently effective strategy. Instead, start in the corner of a room. Walk slowly along the wall and take mental (or written) notes of the strength at multiple points along the wall. Then, do the same for a second wall perpendicular to the first. Treat the resulting picture (mental or otherwise) as a grid. Find the points along both walls where the signal was the strongest. Find where those two points meet. If there was only one peak along a single wall, the AP may be in the next room over.

See the pictures below for some potential scenarios. The first example shows a single room with three long tables. The second scenario depicts a two-room setup. Obviously, the real world is rarely this simple, but the basic technique never changes.

Figure 3: Tracking Wireless APs

Final Thoughts

Don’t forget to think in three dimensions! If there are multiple floors, the AP may be above or beneath you. When the signal strength gets to around -20 dB or stronger (closer to 0), you’re likely right on top of the AP! Remember to keep your eyes open and to use your hands to search; the AP could be hidden or out of plain sight! For more information on how signals bounce around, you can refer to an older post of mine on the basics of wireless!
